Transcript
Campus Technology Insider Podcast May 2023
Listen: A Security Operations Center Powered by Students
00:08
Rhea Kelly: Hello, and welcome to the Campus Technology Insider podcast. I'm Rhea Kelly, editor in chief of Campus Technology, and your host.
Growth in the cybersecurity industry is quickly outpacing the number of skilled workers available to fill the need, with estimates putting the global cybersecurity workforce gap at more than 3 million people. That shortage of IT talent is particularly acute in higher education, where salaries and benefits often can't compete with the corporate sector. In light of those issues, the University of South Carolina Aiken recently found a creative way to staff a new security operations center — and give students hands-on cybersecurity training at the same time. In this episode of the podcast, I spoke with Ernest Pringle, vice chancellor for Information Technology and CIO at USC Aiken, about creating a student-led SOC, helping students put cybersecurity theory into practice, forging regional cybersecurity partnerships, and more. Here's our chat.
Hi Ernest, welcome to the podcast.
Ernest Pringle: Hey, Rhea, how are you?
Kelly: Doing great. Great to have you here. So USC Aiken recently launched a student-led security operations center. And I thought maybe you could take us back to the beginning, you know, how did that initiative start, and why build an in-house SOC, as opposed to, say, outsourcing to an external provider?
01:41
Pringle: We, we've always had the need to have a security operations center. We have a real-live network with real-live threats and sensitive data that we need to protect. And that's always been a nagging concern of mine, is to have a SOC on campus where, where we actually monitor what's going on on our network. We always, just by default, maybe it's my nature, but by default, I always go with the in-house option before I think of outsourcing. So I wanted to try to see if this was something we could do on our own. And the plan for it actually started before the pandemic. We, we were trying to figure out how we could get this done, and the holdup had always been staffing. We were doing a little bit of network monitoring, but it was being done by folks on staff that were already doing other things full time and it was never a fully mature operation. And after the pandemic, we started to notice a lot of cybersecurity activity in our region. Around that time, the Army moved their cybersecurity command from Virginia to Fort Gordon in Augusta, Georgia, which is just across the South Carolina/Georgia border about 17 miles from our campus. And that triggered a lot of cyber activity in our area with companies moving to the area. And so I desperately wanted to tie us into that, but I couldn't figure out how to do it. Also around that time, we, our Academic Affairs unit launched a cybersecurity degree program. And that program, along with all the cyber energy in our region, and all these things going on, it just occurred to me and one of my staff members — well, I'll mention a little bit later, he runs the SOC for us. But it occurred to us that we could use the resources that we have here on campus, which is a real-live network that needed monitoring, and some sharp students that were in this degree program, and turn that into a student-led SOC. And we all benefit from that: students getting some valuable work experience and the university having access to these now young and energetic and smart security analysts that are monitoring our network. So it really grew out of necessity and it has grown into, in the few months that it has actually been active, it's grown into something that we're really proud of.
04:49
Kelly: It sounds like between a cybersecurity degree program and then the regional activity and growth in the cybersecurity industry, that just places cybersecurity higher up on everyone's radar or kind of list of priorities. And I'm wondering if there's anything about the pandemic in particular that made you think this is even more important to, to launch a SOC, you know, like right now?
05:18
Pringle: Absolutely. One of the things that, again, I, you might hear me say this a couple times, but there are a few things that keep me up at night. And during the pandemic, there was a lot of chatter going on amongst CIOs, and amongst chief information security officers, that there would likely be more security incidences across networks across the world, because people were focused on the pandemic, and getting back to work, and their health, and their families, and all these things. And, and sure enough, we started to see some spikes and activity on our network. So I think the, the pandemic brought it to the forefront for a lot of people that weren't thinking about it. Some of us in the IT industry were already thinking about it, but it made us even more nervous, those of us that didn't have an established organization in place that could help counter some of that, that activity.
06:22
Kelly: So when you're building something like this from scratch, how do you, or how did you go about planning what, you know, what — knowing what you need in terms of staffing, setup, funding, you know, what kind of resources are necessary? How did you figure that out?
06:39
Pringle: Well, that's another great question. And if I'm completely honest, we were kind of flying by the seat of our pants, really, just, just based on, of course, we have some, some industry knowledge about what's required, as far as software and monitoring tools and, and those kinds of things. Chris Clark is the young man that I mentioned earlier, he is our SANS-certified staff member on staff. And so he, he had a working knowledge of what was required and what we needed to have a legitimate SOC. But really the, the funding we kind of cobbled together from existing funding, some space, the space for the actual SOC, we converted one of our technology training rooms that we were getting very little use out of, because everybody wants to do online training now here on campus. So we were doing very few in-person training classes. So we converted that room into our SOC. We put monitors on the wall because they look cool, and you know, all these things that we thought we needed. So we were kind of building as we went along, just based on, on personal experience and what we've heard regionally and what we had available as far as space and funding in it. Thankfully it worked out well, because again, I think that cybersecurity energy in our area, and in our region, it brought it to the forefront for everybody.
08:28
Kelly: It's funny that you mentioned the physical space, because I was actually just wondering about that. You know, you hear about computer labs being phased out and repurposed for other things, but I hadn't heard of, you know, a space like that being turned into a SOC.
Pringle: Yeah.
Kelly: Was there anything else you needed to do technologically like with the network? Or, I don't know, like, just from an IT perspective to create a space like that?
08:55
Pringle: No, it was really just building what we needed. We had to, of course, do some, some wiring, and the SOC analysts all sit at tables side by side, and they look at some screens on the wall where we have different types of monitoring tools going — Security Onion and Graylog and a few of those things. So it was mainly just getting the space prepared, but the, the network, it, it was already there and waiting to be monitored by somebody officially. So there wasn't much we needed to do other than physically creating the space and getting desks and computers and getting the displays on the wall.
09:46
Kelly: And I also, I like how you mentioned the staffing issues. It's something that I've heard a lot from CIOs in general in higher ed about the challenge of attracting and retaining IT talent and, you know, losing people to, say, the corporate world and things like that. So I wonder, what has been your experience with staffing issues, like, you know, with the SOC but also in general, and how you manage that issue?
10:16
Pringle: Yeah, I'm no different than, than everybody else — we are, and continue to struggle with staffing. It's a great time in our history to have technical skills, because they're in high demand. Unfortunately for higher ed, and probably all across education, our pay can't compete with some of the Fortune 500 companies that need the same type of technical skills. So, so we miss out on some of those individuals that, that want the higher salaries. Also, the business that we're in with residential customers, and activity always going on campus, going on on campus, it's tough for us to offer remote work in a lot of cases. So that, that's been another challenge — we've missed out on people that, that have gotten used to working remotely during the pandemic and don't want to give that up. So we've seen a lot of that. Fortunately, there, there is still a group of, a group of us that like being in the college environment, and the energy and the excitement and, and the schedule. We kind of, we're able to plan our, our highs and lows with, with the time of year, we know what to expect. So there are some benefits in, but it's hard to find those folks, or persuade them to leave one university and come to ours. So, so it is a challenge, but, but it's not impossible. We've, we've gotten creative with some of our position descriptions, we're, we're hiring younger folks than we typically would in some cases, we're not requiring as much experience as we used to. And that's been refreshing to be able to employ some, some newly minted IT professionals and they come in and, and we train them, we train them up. And sometimes they leave us and go on to bigger and better things. But, but a lot of times we're able to retain them and have them work with us. So it's been a challenge, but it's also been rewarding, it, as well, to, to be able to attract those, those folks. And of course, the SOC is an example of us growing our own, with our senior students in our program work in the SOC. And so, so we're able to pick those folks out before anybody else gets their hands on them. And that they work for us for that one year, for, for their senior year. And hopefully, we'll be able to turn those into other positions within our division and have them stay at our university.
13:18
Kelly: Yeah, so have you had any yet, it might be too early, but students who graduate but want to stay on in, in the IT field at the university?
13:28
Pringle: Still, still too early, we started our program officially in November of last year. So we got a late start, this, this fall will be our first full fall when we start with our seniors. But this group of seniors started in November of last year. And they'll graduate here in a couple of weeks in, in early May. So, still too early to tell, we have our eyes on, on a couple that we think that will want to work with us on a full-time basis. Chris Clark, the young man that I mentioned to you, he, he directs the work of the students in the SOC, but he is also our director of technology operations. And so that includes our networking team and our server administration team. So he has another full-time job that, that keeps him busy most of the time. So if we're lucky, one of the SOC students that we grow and train and, and cultivate, they'll go on to be the next director of the SOC and maybe our chief information security officer and, and have that staff build out as well. So we're hoping that that's how it plays out. But, but if not, we know we'll have a rotating fresh crop of students working in there at least to man the, the, the security analyst positions.
15:03
Kelly: I mean, what a benefit to the degree program to be able to offer this like opportunity for hands-on experience. That also made me wonder, do you, do you have to coordinate kind of the, the job requirements of the SOC or sort of the things, the hands-on learning aspect of the SOC with kind of the desired learning outcomes of the degree program? Is there coordination happening there?
15:30
Pringle: There is, there is. With the, with the degree program, their, their classroom work prepares them in theory for what they'll be doing in the SOC. So, that's a great piece of our relationship. There isn't a whole lot of baseline training that we need to do for the students because they've already learned what it is that they would typically experience in the cybersecurity industry — so that that's been a benefit. But one of the pieces that, that's been a big help to the degree program is these students that we hire are all seniors, and they have to do a capstone project to graduate. And so we're able to offer a hands-on, real-live capstone project that the students can work on. And we work with the professor of the course. And she approves their capstone project, we let her know whether it worked or not, because it's a real-live sandbox really for these students. So that's been a really nice partnership to be able to offer that capstone project for the students and have them know right away whether it worked or not.
16:54
Kelly: Is there a learning curve for students in terms of putting theory into practice? I mean, but, and also sort of what are some common mistakes they might make when they're doing this stuff for the first time?
17:07
Pringle: There is a little bit of a learning curve, but, but not much, not much. They, the program that they're in, again, that the theory is, is very relevant to what they'll be doing with us. Really, what, what we have noticed in what we are working with the students with the, the area that that we're helping them with is the reporting side. Once you discover an issue, once something shows up, how do you put it in clear enough terms that people with a non-technical background can understand it? So whether that's putting it in an e-mail, or writing a report, or how do you report on what it is you found. So that's been one thing that we're helping them with. Also, one of the things that, that struck me was that the students initially were a little bit nervous about letting us know when they found something, because they didn't think it was a legitimate something. They thought maybe it was a false positive, or something we knew about or, something that wasn't that important. And so when we actually told them, hey, yeah, that's good, we didn't know about that, thanks for letting us know, now, they tell us about everything. And so that's a, that's a good thing. You know, we can never have too much information about suspicious activity. So. So those things are really the things that we've noticed that we're helping them with. And it's worked out really well. Like I said, this is our first cohort, cohort of students going through, so we're learning as well. So the next group that starts in August, I'm sure we'll, we'll have a playbook that we'll, we'll work with them from and that'll help their experience as well.
19:07
Kelly: What kinds of things are the students discovering?
19:11
Pringle: Well, one of the main ones that, one of the first ones that one of our students mentioned, they discovered some suspicious activity in an old alumni account that wasn't being monitored. And so that the alumni account was sending out phishing attempts and, you know, doing all the suspicious things that, that would send up a red flag if it was somebody else's account that was being monitored. But it was an old account, it was still there, they spotted it, they let us know. And we were like, hey, yeah, I'm glad you spotted that. We had thought, we had completely forgotten about these alumni accounts that we created, or old retiree accounts that people request that we keep open, but nobody's checking or monitoring or we forgot, forgotten about. And so now that, that sent up a red flag in a lot of different directions on things we need to be keeping an eye on. So, so that, that was a big one for us, is monitoring old or grandfathered accounts that we've had out there that, that we, we also need to keep an eye on. But, but they spotted that for us. And that was something that we probably wouldn't have spotted on our own unless somebody, you know, came back to us after it was too late and said hey, we're getting these phishing attempts from, from this old account, from your domain.
20:44
Kelly: Will that change any policies, you know, in terms of provisioning those, those accounts, or…? Just wondering if that discovery is leading to a more lasting IT policy?
20:59
Pringle: For sure. Yeah, for sure. And I am, that falls squarely on, on me to make sure our policies match up to what we're finding and what we need to stop doing or continue doing. So, so yeah, we'll, we'll make sure that, that we tighten up some of our account provisioning policies and how long we keep those old accounts active, you know, or if we even need to continue doing some of that.
21:34
Kelly: That's great. What has student response been to the program? I mean, I think it's probably the answer is they love it, but I'd love to hear more.
21:43
Pringle: Yeah, yeah, they actually do love it. We, when we first announced what we were doing, we had to limit it to the senior students, because we had students from, from all levels that wanted to be involved. And we actually have a waiting list of students that want to be in the, that want to work in the SOC. So because of the size of the SOC, we only hire three students at a time. But I mentioned at the ribbon cutting and, and every chance I get, this is the first time I've had a waiting list of people wanting to work for me ever, in any capacity. So, so I'm excited that the students want to come and do this work and, and they're energetic, and they want to do a good job. So that, that, that always helps. But the student response has been great. And we're hoping to be able to expand it in the near future.
22:43
Kelly: That actually made me, by the way, wonder, is this a paid position for the students, like a work study thing? Or how does that work?
22:51
Pringle: Yes, yes, it's paid. It's not covered at all by federal work study. So we pay them as part-time students, or excuse me, part-time employees. So they get an hourly wage, and so that, that probably is another reason why it's attractive to the students. So they can work here doing something they like to do rather than having to find a job off campus. But it is, they are paid positions, yes.
23:24
Kelly: Okay. Any surprises that you've run into along the way?
23:30
Pringle: Probably the, a couple that I've already mentioned, that the surprises about the, the old accounts that, that, that are being compromised right under our noses that we weren't aware of. I was surprised by that. Surprised by the, the enthusiasm of the students wanting to participate. To them, it doesn't feel like a part of the curriculum. It feels like, to them it feels like they're actually doing real-live work, which they are. They are, they're actually monitoring our real-live network. But in turn, they are also working towards a degree and gaining valuable experience. And we're getting them ready for the workforce. So, so all those things have been pleasant surprises.
24:25
Kelly I mean, it sounds like it's something that they want to do as opposed to feeling like they have to do it as schoolwork.
24:31
Pringle: Absolutely, absolutely. And they are, they are clamoring to get, get in there and be one of the three that they get to work with. And so we are, we are in the process of making plans to expand the SOC and turn it into an RSOC, a regional SOC where we actually do some work for some local folks, so for network monitoring for local school districts, for a city or county government, we have a hospital right across the street, so maybe we do some network monitoring for the hospital. And, and if the plan goes according to what we think it might, the SOC will end up paying for itself, if we're able to take on some of those people as customers. Now I, my fear is I don't want to halfway do it, and not be able to deliver on what we offer. So I want to make sure we have the right students and the right resources and everything in place before we go that route. But we actually have a faculty member working on a grant, a federal grant, to bring cybersecurity monitoring to rural areas and school districts and local governments, which matches up to what, with what we're trying to do. So if that part works out, we'll build up our, our expertise and the number of students in the meantime, and we'll be ready to, ready to accommodate that, that, when it takes shape. One other exciting collaboration that is actually not pie in the sky, it's actually happening, with all the cybersecurity buzz in our region, the South Carolina National Guard is building their cybersecurity innovation center on our campus. And so that will be the group that monitors cyber activity and threats to, for the South Carolina state government. They'll be right here on our campus. And we've already met with them. In fact, I have a day-long workshop with them next week, planning out what we're going to do as far as collaborating with our SOC. And by the end of it, our students will be working shoulder to shoulder and elbow to elbow with cybersecurity officers, cybersecurity soldiers from, from the South Carolina National Guard. And so that, that'll be another arm of experience that they'll gain. With that collaboration, they'll actually be seeing the threats to our state, not just our university. So it's, it's an exciting time for us, exciting opportunity for these students. And that, that cyber command, I think it's, it's being called now the, the South Carolina National Guard Cybersecurity Innovation Center. And so by the time the building is finally built, it might be called something else, but, but that's, that's what the latest name is. But, but we're excited about that, and that's another, another piece of expansion that we're excited about.
28:14
Kelly: Wow. So not just expanding, but really taking it to another level there.
28:19
Pringle: Yeah. Yeah. Yeah. We're really excited, and the funding has already been approved by the state and the governor. So that's usually a good sign that it's going to happen.
28:28
Kelly: That's a good sign, yeah. Well, thank you so much for coming on and telling us all, all about it. Very exciting stuff.
28:36
Pringle: Well, thank you. Thank you. I appreciate you having me and I hope that information is helpful to anybody listening.
28:45
Kelly: Thank you for joining us. I'm Rhea Kelly, and this was the Campus Technology Insider podcast. You can find us on the major podcast platforms or visit us online at campustechnology.com/podcast. Let us know what you think of this episode and what you'd like to hear in the future. Until next time.
